This topic describes various ways to get details about the policies in your organization. These procedures apply to all policy types. You must enable a policy type on the organization root before you can attach policies of that type to any entities in that organization root.
Listing all policies
Minimum permissions
To list the policies within your organization, you must have the following permission:
- organizations:ListPolicies
You can view the policies in your organization in the AWS Management Console or by using an AWS Command Line Interface (AWS CLI) command or an AWS SDK operation.
To list all of the policies in your organization
- Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.
- On the Policies page, choose the policy type that you want to list. If the specified policy type is enabled, the console displays a list of all of the policies of that type that are currently available in the organization.
- Return to the Policies page and repeat for each policy type.
The following code examples show how to use ListPolicies.
Listing the policies attached to a root, OU, or account
Minimum permissions
To list the policies that are attached to a root, organizational unit (OU), or account within your organization, you must have the following permission:
- organizations:ListPoliciesForTarget with a Resource element in the same policy statement that includes the Amazon Resource Name (ARN) of the specified target (or "*")
To list all policies that are attached directly to a specified root, OU, or account
- Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.
- On the AWS accounts page, choose the name of the root, OU, or account whose policies you want to view. You might have to expand OUs to find the OU that you want.
- On the Root, OU, or account page, choose the Policies tab.
The Policies tab displays all of the policies attached to that root, OU, or account, grouped by policy type.
Listing all roots, OUs, and accounts that a policy is attached to
Minimum permissions
To list the entities that a policy is attached to, you must have the following permission:
- organizations:ListTargetsForPolicy with a Resource element in the same policy statement that includes the ARN of the specified policy (or "*")
To list all roots, OUs, and accounts that have a specified policy attached
- Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.
- On the Policies page, choose the policy type, and then choose the name of the policy whose attachments you want to examine.
- Choose the Targets tab to display a table of every root, OU, and account that the chosen policy is attached to.
Getting details about a policy
Minimum permissions
To display the details of a policy, you must have the following permission:
- organizations:DescribePolicy with a Resource element in the same policy statement that includes the ARN of the specified policy (or "*")
To get details about a policy
- Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.
- On the Policies page, choose the policy type of the policy that you want to examine, and then choose the name of the policy. The policy page displays the available information about the policy, including its ARN, description, and attached targets.
  - The Content tab shows the current contents of the policy in JSON format.
  - The Targets tab shows a list of the roots, OUs, and accounts to which the policy is attached.
  - The Tags tab shows the tags attached to the policy. Note: the Tags tab is not available for AWS managed policies.
- To edit the policy, choose Edit policy. Because each policy type has different editing requirements, see the instructions for creating and updating policies of your specified policy type.
The following code examples show how to use DescribePolicy.
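
Added example, not part of the AWS documentation: Python that chains ListPolicies, ListTargetsForPolicy, and DescribePolicy into one attachment inventory and reports customer managed policies that are attached to nothing. The helper names (pages, inventory, unattached), the StubOrg class, and its sample data are constructed for illustration; the three client methods and response keys follow the boto3 organizations client.

```python
import json

def pages(call, key, **kwargs):
    """Yield every item of a paginated Organizations list call (follows NextToken)."""
    while True:
        resp = call(**kwargs)
        yield from resp.get(key, [])
        if not resp.get("NextToken"):
            return
        kwargs["NextToken"] = resp["NextToken"]

def inventory(org, policy_type="SERVICE_CONTROL_POLICY"):
    """One record per policy of the given type: summary, targets, parsed JSON content."""
    records = []
    for summary in pages(org.list_policies, "Policies", Filter=policy_type):
        pid = summary["Id"]
        targets = pages(org.list_targets_for_policy, "Targets", PolicyId=pid)
        content = org.describe_policy(PolicyId=pid)["Policy"]["Content"]
        records.append({"id": pid, "name": summary["Name"],
                        "aws_managed": summary["AwsManaged"],
                        "targets": [(t["Type"], t["TargetId"]) for t in targets],
                        "content": json.loads(content)})
    return records

def unattached(records):
    """Customer managed policies with no targets: defined, but attached to nothing."""
    return [r["name"] for r in records if not r["targets"] and not r["aws_managed"]]

class StubOrg:
    """Constructed sample data, shaped like boto3 'organizations' client responses."""
    POLICIES = [{"Id": "p-examplea", "Name": "DenyLeaveOrg", "AwsManaged": False},
                {"Id": "p-exampleb", "Name": "DraftGuardrail", "AwsManaged": False}]
    TARGETS = {"p-examplea": [{"TargetId": "r-exam", "Type": "ROOT"}], "p-exampleb": []}

    def list_policies(self, Filter, NextToken=None):
        i = int(NextToken or 0)  # one policy per page, to exercise pagination
        page = {"Policies": self.POLICIES[i:i + 1]}
        if i + 1 < len(self.POLICIES):
            page["NextToken"] = str(i + 1)
        return page

    def list_targets_for_policy(self, PolicyId, NextToken=None):
        return {"Targets": self.TARGETS[PolicyId]}

    def describe_policy(self, PolicyId):
        return {"Policy": {"Content": '{"Version": "2012-10-17", "Statement": []}'}}

if __name__ == "__main__":
    for r in inventory(StubOrg()):  # live run: boto3.client("organizations")
        print(r["id"], r["name"], r["targets"] or "NOT ATTACHED")
```

A live run needs all three permissions listed in the sections above (organizations:ListPolicies, organizations:ListTargetsForPolicy, organizations:DescribePolicy) and must be repeated for each policy type, as in the console procedure.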